Support for credentialless iframes to address COEP header needs

[coatless]

Right now, the video short code {{ video }} provides a standard iframe that automatically assumes the pages default headers.

quarto-cli/src/resources/extensions/quarto/video/video.lua

Line 81 in b0d668e

local SNIPPET = [[<iframe data-external="1" src="{src}{start}"{width}{height} title="{title}" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>]]

quarto-cli/src/resources/extensions/quarto/video/video.lua

Line 108 in b0d668e

local SNIPPET = [[<iframe data-external="1" src="{src}"{width}{height} allowfullscreen="" title="{title}" allow="encrypted-media"></iframe>]]

quarto-cli/src/resources/extensions/quarto/video/video.lua

Line 124 in b0d668e

local SNIPPET = [[<iframe data-external="1" src="{src}"{width}{height} frameborder="0" allow="autoplay; title="{title}" fullscreen; picture-in-picture" allowfullscreen></iframe>]]

Would it be possible to have the short-code support or set by default a credentialless state? e.g.

<iframe credentialless src="https://example.com">

The credentialles state is important for Cross-Origin-Embedder-Policy
(COEP) environments. For webR startup and package installs, we need to set the COOP and COEP headers to significantly speed up the availability of in the browser R editor. We're running into issues with the iframe because when we turn on COEP, then any embedded lecture video from YouTube using the video shortcode is blocked with "youtube refused to connect."

By having the <iframe> tag include credentialless, the iframe is loaded from a different, empty context. In particular, it is loaded without cookies. This allows for the removal of the COEP restriction for just the video will allow the entire page to still fall under the custom COOP and COEP headers.

For more background, please see:

• Background on iframe-credentialless set: https://developer.chrome.com/blog/iframe-credentialless/
• Initial Proposal: https://github.com/camillelamy/explainers/blob/main/anonymous_iframes.md

Where the issue arose: coatless/quarto-webr#8

[cscheid]

This seems like something we should 100% support. I'll open an issue to track, thanks!

We're in hard-freeze mode for the upcoming 1.3 release, but we'll do this early in the 1.4 cycle, since it seems pretty low-risk.

[coatless]

Just a heads up, I think this is only supported on chromium-based browsers so far.

I've gently poked the Mozilla folks for their position:

mozilla/standards-positions#628

[ghost]

Thanks for reporting this @coatless and the great supporting research. Let's move the conversation to #4914.